Dynamic executable code (e.g., JAVASCRIPT code) may be modified during execution, and such code may be executed on devices that are local to a client as well as on devices that are external to the client. For example, as web applications have become popular with many users, the applications may include such dynamic executable code, and may provide services to users via code that executes locally while referencing potential sources of executable code on external devices that are not under the control of the individual user, thus introducing potential vulnerabilities for individual users. For example, cross-site scripting (XSS) has become a prominent source of security issues that may cost significant revenue to resolve.
As an example, a Document Object Model (DOM) XSS detection technique may rely on testing a website by parsing all or a portion of a web page and its resources. Based on that parse, an analysis may provide warnings about constructs that may result in potential issues on the page. While this approach is suitable for discovering some security bugs, it may produce false positives, such that a security researcher may expend further resources to determine what is actually an error and what is expected behavior. Further, such static analysis may be limited in its capabilities with regard to inspecting dynamic languages (e.g., in attempting to statically determine the makeup of a dynamic language program at any point during runtime). Potential challenges in this area may include determining the load ordering of files, accounting for Application Programming Interfaces (APIs) that may be constructed at runtime and may not be explicitly represented in source, and accounting for other elements of the page which are not generated on the client.
Approaches to resolving such issues may involve authoring a dynamic analysis which loads and/or exercises an unmodified, actual page while seeding it with fuzzed/dangerous sources (i.e., data points which are user-controlled and can be put to malicious purposes). This approach may be effective but raises issues of its own. For example, execution may be slow for these systems. In addition, testing may be performed on an actual page, which may have undesirable side effects (e.g., provoking permanent changes on supporting servers, putting undesirable load on a site, etc.).
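
The contrast drawn above, as an added illustration that is not part of the original text: a pattern-based static scan misses a sink whose name is built at runtime and flags a harmless constant write, while running the same scripts with a seeded source reports only the real flow. The two sample scripts, the `TAINT` marker, the function names and the use of a stub DOM instead of an actual page are assumptions made for this example.

```javascript
// Constructed sample scripts (not from the original text).
// A: the sink name is assembled at runtime, so it never appears in the source.
const scriptA = `
  var sink = ['inner', 'HTML'].join('');
  document.getElementById('out')[sink] = decodeURIComponent(location.hash.slice(1));
`;
// B: the sink appears literally but only ever receives a constant string.
const scriptB = `
  document.getElementById('out').innerHTML = '<b>Welcome</b>';
`;

// Harmless marker seeded into the user-controlled source.
const TAINT = 'TAINT_7f3a';

// Static check: flag any literal use of a known DOM sink.
function staticScan(src) {
  return /\.innerHTML\s*=|document\.write\s*\(/.test(src);
}

// Dynamic check: execute the script against a stub DOM and record every
// write to a sink whose value carries the seeded marker.
function dynamicScan(src) {
  const hits = [];
  const record = (id, sink, value) => {
    if (String(value).includes(TAINT)) hits.push({ id, sink, value });
  };
  const makeElement = (id) => {
    const el = {};
    Object.defineProperty(el, 'innerHTML', {
      set(value) { record(id, 'innerHTML', value); },
    });
    return el;
  };
  const document = {
    getElementById: makeElement,
    write: (value) => record(null, 'document.write', value),
  };
  const location = { hash: '#' + TAINT };
  // The stubs are passed as parameters, so the script's references to
  // `document` and `location` resolve to them rather than to a real page.
  new Function('document', 'location', src)(document, location);
  return hits;
}

// Side-by-side verdicts for one script.
function compare(src) {
  return { staticHit: staticScan(src), dynamicHit: dynamicScan(src).length > 0 };
}
```

Because the scripts run against stub objects, no supporting server is contacted, which sidesteps the side effects noted above at the cost of not exercising the actual page.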